
How to authenticate via another object

Jan 3rd, 2005, 10:10 AM

Hi Ben:
I have been using Acegi for the past two days. Here is what I would like to do. I have an object called Userstore which holds all the user information. The API I have with Userstore is boolean athenticate(String username, String password). I would like to use Acegi to do the authentication without too much change to the Userstore. In other words, I would like Userstore to operate without any knowledge of Acegi. Only Acegi sends information to the Userstore and uses its API. There are methods inside Userstore, like constructors, so I can get a good Userstore to start with.
Anyway, I am taking a baby-steps approach, so eventually I would like to use CAS to talk to the Userstore. Can I get some help on this, please?
Thanks

At minimum your Authentication object needs to hold username, password, and GrantedAuthority[]s. I can see where the former two would come from with your Userstore, but what about GrantedAuthority[]s?

The easier approach is undoubtedly to not use Userstore at all, and write an AuthenticationDao implementation that sources the authentication data from the same backend location as your Userstore would use. An AuthenticationDao has a single method, is very easy to write, and will deliver you good compatibility with whatever you decide to do in the future (eg move to CAS).

If you have strong reasons to use Userstore, you'll need to write an AuthenticationProvider that communicates with it. The AuthenticationProvider will unwrap Authentication requests, present them to Userstore, receive the Userstore response, and create a response Authentication object to return to the caller. As you can see, it's a lot more work than the minor persistence-related code of an AuthenticationDao.


Well, thanks Ben. I guess I need to be much more clear about the Userstore. It is an essential component of the program. Yet it is done through Spring; as you can see, it is an object that hides all the implementation from the user. From my view, a Userstore is an object that can give me access to the data I need, and thus the authentication can be done. You can think of this Userstore as an independent POJO. I am writing a userstoreauthenticationDaoImp, which has the Userstore inside. What I have trouble with is the GrantedAuthority[].

For some reason, I can't get the userdetail set up correctly. Can I get some help there?
I believe if I finish this implementation, I can get the Userstore to work. I wonder how the User constructor works, or whether there is another way to init it.
Thanks Ben

The GrantedAuthority[]s get passed to the AccessDecisionManager, so it can decide whether the principal has the required authorities to call a secure object.

Typically you implement a separate database table to hold your authorities, such as shown in the sample schema at http://acegisecurity.sourceforge.net/dbinit.txt. You can normalise it a little better, into say a USER and AUTHORITY table, plus a USER-AUTHORITY link table. Your DAO implementation would typically create a GrantedAuthorityImpl instance for each matching row in AUTHORITY.
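
The normalised layout described in the reply above, written out as an added example (it is not part of the thread and is not the Acegi sample schema). The table names `users`, `authority` and `user_authority`, the column names and types, and the sample rows are assumptions made for illustration.

```sql
-- Normalised layout: one row per user, one row per authority, and a link table.
CREATE TABLE users (
    user_id   INTEGER      PRIMARY KEY,
    username  VARCHAR(50)  NOT NULL UNIQUE,
    password  VARCHAR(100) NOT NULL,   -- the encoded form the login check compares against
    enabled   BOOLEAN      NOT NULL
);

CREATE TABLE authority (
    authority_id INTEGER     PRIMARY KEY,
    name         VARCHAR(50) NOT NULL UNIQUE
);

CREATE TABLE user_authority (
    user_id      INTEGER NOT NULL REFERENCES users (user_id),
    authority_id INTEGER NOT NULL REFERENCES authority (authority_id),
    PRIMARY KEY (user_id, authority_id)   -- a user holds each authority at most once
);

-- Constructed sample rows (placeholder password values).
INSERT INTO users VALUES (1, 'alice', '<encoded-password>', TRUE);
INSERT INTO users VALUES (2, 'bob',   '<encoded-password>', TRUE);
INSERT INTO authority VALUES (10, 'ROLE_USER');
INSERT INTO authority VALUES (11, 'ROLE_SUPERVISOR');
INSERT INTO user_authority VALUES (1, 10);
INSERT INTO user_authority VALUES (1, 11);

-- Lookup the DAO runs for one username. The username is bound as a
-- parameter, never concatenated into the statement text.
SELECT u.username, u.password, u.enabled, a.name AS authority
FROM users u
LEFT JOIN user_authority ua ON ua.user_id = u.user_id
LEFT JOIN authority a       ON a.authority_id = ua.authority_id
WHERE u.username = ?;
```

The DAO builds one GrantedAuthorityImpl per returned row that has a non-NULL `authority`. The LEFT JOINs let it tell a known user with no authorities (one row, NULL authority) from an unknown username (no rows).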